According to FINRA, Citi's negligence in adequately supervising Tamara Moon, a former sales assistant at a Citi branch in Palo Alto, Calif., resulted in $749,978 being skimmed from the accounts of 22 Citi customers. Moon allegedly falsified account records and performed unauthorized trades that targeted elderly, ill or "otherwise vulnerable" accountholders.

FINRA in August 2009 barred Moon from the securities industry when it launched its investigation. On Tuesday, FINRA said its investigators had determined that Citi failed to detect or investigate a series of so-called red flags that should have alerted the bank to Moon's fraudulent use of customer funds. The red flags included exception reports that highlighted conflicting information in new account applications, as well as customer account records that reflected suspicious funds transfers between unrelated accounts.

FINRA says Citi also failed to implement reasonable systems and controls regarding supervisory review of customer accounts, which enabled Moon to falsify new account applications and other records.

Citi, which did not reveal the name of the former employee, says it is cooperating with authorities to ensure the individual responsible is prosecuted to the fullest extent of the law. "In 2008, upon discovering suspicious activity by a former Smith Barney employee, we immediately notified the authorities, terminated her employment and reimbursed impacted clients," says Citi spokeswoman Elizabeth Fogarty. "Protecting our customers is paramount and fraudulent behavior will not be tolerated."

The fine comes just more than a month after federal authorities involved in a separate internal fraud investigation arrested a former Citi executive for the role he allegedly played in embezzling more than $19 million from the bank and its customers.

Investigators believe that between July 2010 and December 2010, Foster moved $900,000 from Citigroup's interest expense account and $14.4 million from its debt adjustment account into the bank's cash account. From there, in eight separate wire transfers, he allegedly had funds routed to an outside, personal account.

Shirley Inscoe, author of "Insidious: How Trusted Employees Steal Millions and Why It's So hard for Banks to Stop Them," says Citi is not alone. Most banks have done a poor job of keeping up with internal threats. [See Database Security Policies Needed.]

"With the economic downturn, I think many banks have cut back on their internal controls and fraud detection because of very tight budgets," Inscoe says. "Any other bank could have just as easily been victimized."

In May, an internal breach at Bank of America led to the compromise customer accountholder information.

"I have seen and heard that several times over the last two to three years. Banks saying, 'If we had not cut back on this or that, we would have caught this sooner," Inscoe says.

In the Moon case, FINRA says Citi should have detected the suspicious activity involving transfers and disbursements in the accounts. "In one incident, Moon misappropriated nearly $80,000 from an elderly widow's account," FINRA says. "An exception report highlighted two address discrepancies in the customer's account documents where the street address did not correspond to the city and zip code provided for the address, and the telephone prefix did not match the zip code of the address. Moon, who had entered the account information, attempted to explain to Citigroup that the discrepancies arose because the client had moved to Arizona, an explanation that did not seem reasonable."